Audit messages: Log structure question

hi!

I have enabled message auditing in my WF 3.1 server and it is working great. I have a few questions though:

Q1. Why are the messages written twice in the log? I am not an XMPP master, so if it is specific to the protocol, then I'll have to do with it. Otherwise, may somebody help me?

Here is an example of what I get:

<packet xmlns="http://www.jivesoftware.org" streamID="f92b84a6" status="auth" timestamp="9 avr. 2007 01:26:22">
  <message xmlns="" id="m_8" type="normal" to="elfebleu@ewe.com" from="schyzo@ewe.com/xiff">
    <body>
      ca marche
    </body>
  </message>
</packet>
<packet xmlns="http://www.jivesoftware.org" streamID="b54893d1" status="auth" timestamp="9 avr. 2007 01:26:22">
  <message xmlns="" id="m_8" type="normal" to="elfebleu@ewe.com" from="schyzo@ewe.com/xiff">
    <body>
      ca marche
    </body>
  </message>
</packet>
<packet xmlns="http://www.jivesoftware.org" streamID="b54893d1" status="auth" timestamp="9 avr. 2007 01:26:42">
  <message xmlns="" id="m_7" type="normal" to="schyzo@ewe.com" from="elfebleu@ewe.com/xiff">
    <body>
      comment va ?
    </body>
  </message>
</packet>
<packet xmlns="http://www.jivesoftware.org" streamID="f92b84a6" status="auth" timestamp="9 avr. 2007 01:26:42">
  <message xmlns="" id="m_7" type="normal" to="schyzo@ewe.com" from="elfebleu@ewe.com/xiff">
    <body>
      comment va ?
    </body>
  </message>
</packet>

Q2. I don't understand why in some log files, XML tags are not closed correctly; it seems to be the case for recent logs. Older ones are okay.

I get this error when I try to visualize the xml file in IE:

The following tags were not closed: jive.

Error processing resource

''http://localhost/toronto/jive.audit-20070410-000.log.x

So my questions are: how frequently is the log file written? As I have One2One sessions only, is the log file created with every session or can it hold multiuser chat messages, I mean is it created per chat session or per day? Finally, why isn't the XML tag closed properly?

Thanks for your help

Any idea?

I can't help you in this matter, but I would encourage you to have a little patience while waiting for answers. This is a very active community, but it can easily take one day to get many reads and some answers…

Hi,

@Q2: Wildfire may keep the log files open until it rotates them. So the current one will always be missing the element.

@Q1: I would assume that Wildfire writes the received and the sent messages to the file. This would make sense as a plugin may modify the content and a message may be stored in the offline store.

But as the to= and from= addresses do not change this is not really the case.

Also received packets are processed by the content filter before they are written to the audit log file, I wonder if these are bugs of the audit log method.

LG

Thanks for answering

Q1. I have the 3.1 server, so there is no Content Filter plugin (it requires the 3.2 version). But I will try to disable the Offline Messages and see what happens then. I'll keep you informed.

Q2. Is there a way to detect the current log file being used? I am about to write a Perl script that will copy them to another directory then process them, so I guess the only way is to move all files and leave the most recent one? Or to open the files one by one and search for the </jive> string?

The problem is persisting. I have disabled the offline messages to check if they could have caused that, but it seems they have nothing to do with it.

All the messages are doubled!

Hi,

it seems to be a bug … or a feature so I hope Gato can give some more details about this.

LG

Hey guys,

When userA sends a message to userB the auditor will generate two entries in the audit log. If you check the streamID is different in each case. The reason is that the first audit is saying: a message was received from userA (printing the ID of the session used by userA) and the second audit record is saying: a message was sent to userB printing the streamID (session ID) of userB.

Regards,

– Gato
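
Added example, not part of the thread and not Wildfire code: a Python sketch that reads an audit log even when the closing </jive> is still missing, and folds the "received" and "sent" records of one message into a single entry. The sample log is constructed from the excerpt above; the namespace on the <jive> root, the function names and the pairing rule (same from, to, id and body on a different streamID) are assumptions.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.jivesoftware.org}"

# Constructed sample modelled on the excerpt in the thread. The <jive> root
# (and its namespace) is assumed; the closing </jive> is left out on purpose,
# as in a log file the server still has open.
SAMPLE_LOG = """<jive xmlns="http://www.jivesoftware.org">
<packet xmlns="http://www.jivesoftware.org" streamID="f92b84a6" status="auth" timestamp="9 avr. 2007 01:26:22">
<message xmlns="" id="m_8" type="normal" to="elfebleu@ewe.com" from="schyzo@ewe.com/xiff"><body>ca marche</body></message></packet>
<packet xmlns="http://www.jivesoftware.org" streamID="b54893d1" status="auth" timestamp="9 avr. 2007 01:26:22">
<message xmlns="" id="m_8" type="normal" to="elfebleu@ewe.com" from="schyzo@ewe.com/xiff"><body>ca marche</body></message></packet>
<packet xmlns="http://www.jivesoftware.org" streamID="b54893d1" status="auth" timestamp="9 avr. 2007 01:26:42">
<message xmlns="" id="m_7" type="normal" to="schyzo@ewe.com" from="elfebleu@ewe.com/xiff"><body>comment va ?</body></message></packet>
<packet xmlns="http://www.jivesoftware.org" streamID="f92b84a6" status="auth" timestamp="9 avr. 2007 01:26:42">
<message xmlns="" id="m_7" type="normal" to="schyzo@ewe.com" from="elfebleu@ewe.com/xiff"><body>comment va ?</body></message></packet>
"""

def is_still_open(text):
    """True when the log has no closing </jive> yet (not rotated)."""
    return not text.rstrip().endswith("</jive>")

def read_packets(text):
    """Yield (streamID, timestamp, <message>) for every complete <packet>."""
    parser = ET.XMLPullParser(events=("end",))
    parser.feed(text)  # close() is never called, so a missing </jive> is not an error
    for _event, elem in parser.read_events():
        if elem.tag == NS + "packet":
            msg = elem.find("message")  # xmlns="" puts <message> in no namespace
            if msg is not None:
                yield elem.get("streamID"), elem.get("timestamp"), msg

def collapse(text):
    """Pair each 'received from sender' record with its 'sent to recipient' record."""
    messages, pending = [], {}
    for stream_id, ts, msg in read_packets(text):
        body = (msg.findtext("body") or "").strip()
        key = (msg.get("from"), msg.get("to"), msg.get("id"), body)
        first = pending.pop(key, None)
        if first is not None and first["received_on"] != stream_id:
            first["sent_on"] = stream_id  # second record: recipient's session
            continue
        entry = {"id": msg.get("id"), "from": msg.get("from"), "to": msg.get("to"),
                 "body": body, "timestamp": ts, "received_on": stream_id, "sent_on": None}
        messages.append(entry)
        pending[key] = entry
    return messages
```

An entry whose sent_on stays None has only one audit record, which is worth flagging when the log is used as evidence of delivery.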